Beyond good ol’ Run key, Part 136

I love Office-based Persistence mechanisms, because there is always… one more to discover 🙂

Take your Winword.exe from Office 2021 or Office 365. When it loads, it checks whether the following Registry value exists and is not equal to 0:

HKCU\SOFTWARE\Microsoft\Office\16.0\Word\WwlibtDll != 0

And if it is the case… instead of loading wwlib.dll, it will load wwlibt.dll.

So, place your payload in wwlibt.dll and winword will load it for you.

This trick can be used both as a traditional DLL-sideloading LOLBIN and as a persistence mechanism, because wwlibt.dll could be made to load the real wwlib.dll in turn. Or, it could temporarily remove the value from the Registry and re-launch winword.exe.

Interestingly, PowerPoint has the same ‘feature’:

HKCU\SOFTWARE\Microsoft\Office\16.0\PowerPoint\PPCoreTDLL != 0

and the DLL name is ppcoret.dll (instead of ppcore.dll).

Beyond good ol’ Run key, Part 135

These days I post most of the new stuff on Twitter as no one reads blogs anymore, right? 🙂

Still, it's good to document some of it in a more permanent way, so here is the persistence bit I posted about yesterday:

A number of tools inside the c:\WINDOWS\system32\oobe\ folder:

  • audit.exe
  • oobeldr.exe
  • Setup.exe
  • windeploy.exe
  • winsetup.dll

include references to c:\WINDOWS\Setup\Scripts\ErrorHandler.cmd.

Turns out, if you drop your payload into c:\WINDOWS\Setup\Scripts\ErrorHandler.cmd, c:\WINDOWS\system32\oobe\Setup.exe will run it any time it hits an error. The most trivial way to trigger it is by running setup.exe without any arguments.

I have not checked the other executables, but it’s most likely the case as well.
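As an added defender-side check (not code from either of the original posts), here is a small Python hunting script that evaluates a host for both artefacts: the Word/PowerPoint "T" DLL override values from Part 136 and the ErrorHandler.cmd path from Part 135. The Office install directory in OFFICE_ROOT and the live collector reading HKCU are assumptions; adjust them for your image.

```python
# Added hunting check for the persistence paths described in Parts 135 and 136.
# Not code from the original posts; OFFICE_ROOT and the HKCU lookup are assumptions.
import os
import sys

# Per-user override values and the DLL pair they switch, as given in Part 136.
OFFICE_OVERRIDES = [
    (r"SOFTWARE\Microsoft\Office\16.0\Word", "WwlibtDll", "wwlibt.dll", "wwlib.dll"),
    (r"SOFTWARE\Microsoft\Office\16.0\PowerPoint", "PPCoreTDLL", "ppcoret.dll", "ppcore.dll"),
]
# Script that oobe\Setup.exe runs on error, as given in Part 135.
ERROR_HANDLER = r"C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd"
# Assumed Office install directory (64-bit Click-to-Run default); adjust for your image.
OFFICE_ROOT = r"C:\Program Files\Microsoft Office\root\Office16"


def evaluate(reg_values, files_present):
    """Score a host snapshot and return a sorted list of finding strings.
    reg_values:    {"<key>\\<value>": data} for HKCU values that exist
    files_present: set of lower-cased full paths that exist on disk
    """
    findings = []
    for key, value, override_dll, real_dll in OFFICE_OVERRIDES:
        # Treat missing, empty or "0" as disabled; anything else enables the override.
        data = str(reg_values.get(f"{key}\\{value}", 0)).strip()
        if data not in ("", "0"):
            findings.append(f"{value} set: {real_dll} replaced by {override_dll} at load")
        if (OFFICE_ROOT + "\\" + override_dll).lower() in files_present:
            findings.append(f"{override_dll} present in Office root: verify signer and hash")
    if ERROR_HANDLER.lower() in files_present:
        findings.append(f"{ERROR_HANDLER} present: oobe\\Setup.exe runs it on any error")
    return sorted(findings)


def collect_live():
    """Read the real registry and file system (Windows only) and evaluate them."""
    import winreg
    reg_values = {}
    for key, value, _, _ in OFFICE_OVERRIDES:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key) as h:
                reg_values[f"{key}\\{value}"] = winreg.QueryValueEx(h, value)[0]
        except OSError:
            pass  # value or key absent: nothing to flag
    candidates = [OFFICE_ROOT + "\\" + o[2] for o in OFFICE_OVERRIDES] + [ERROR_HANDLER]
    return evaluate(reg_values, {p.lower() for p in candidates if os.path.exists(p)})


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the Windows host being checked")
    print("\n".join(collect_live()) or "no findings")
```

Run it as the user whose profile you are checking, since the override values live under HKCU.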